Charles Schwab's Web site is vulnerable to a well-known attack that could allow a hacker to gain access to sensitive account information, the company acknowledges.
Originally reported by San Francisco-based programmer Jeff Baker on the Bugtraq security mailing list on Wednesday, the vulnerability involves "cross-site scripting." The vulnerability, which uses popular Web programming languages such as JavaScript to hijack a customer's Web browser, is similar to one acknowledged by E*Trade in September.
By exploiting the vulnerability, "malicious users can fool other users' Web clients...which allows them to do things such as stealing that client/server's cookies," Elias Levy, Bugtraq's moderator and the chief technology officer of SecurityFocus.com, wrote in an advisory.
Calling the vulnerability a "common flaw," Levy blamed the problem in part on "the lack of good practices by programmers of Web-based applications."
Although security experts first issued a warning against cross-site scripting in February, security experts believe that dozens of sites may still be vulnerable to the attack.
Baker said he first notified Schwab of its vulnerability in late August. Although he exchanged several emails with Schwab about the problem, the company did not fix the problem, he said.
"The flaws still exist, and I have no reason to believe that they are in the process of being fixed," Baker said in his advisory on Bugtraq. "Schwab should strive to fix problems when given (four)-month advance notice. They should raise their ethical standards to alert their paying customers whenever a system vulnerability is reported."
But Schwab spokesman Greg Gable said the company has been working as quickly as possible to address the problem. After being notified of the vulnerability in August, Schwab took some minor steps to protect customers, he said. And Schwab plans to completely close the vulnerability by early next year via a computer change, he said.
"We take security issues extremely seriously," Gable said. "We take aggressive steps to minimize the risk."
But Gable played down the risk for customers, calling it a "very, very narrow possibility." Gable said the delay in closing the vulnerability had to do with balancing the ease of use of the site and the need to test the fix before implementing it.
"With a large system and a large customer base, we need to test thoroughly," he said.
Cross-site scripting allows hackers to run dangerous code within a Net user's browser or email client. Basically an attack on a Schwab user could allow the hacker to have access to all of the customer's account actions--such as buying and selling stocks or transferring funds while the customer was logged on to his account.
To protect against such an attack, Baker warned Schwab customers to disable JavaScript in their browsers, avoid accessing other Web sites or opening email while logged on to their Schwab accounts, and completely log off Schwab's site and close browsers when finished accessing accounts.